Concluding Remarks

Some concluding remarks are in order. Opinions are those of the primary investigator, Raymond Lutz.

RoV not prepared for oversight

It is a common observation by COPs regarding not only the Registrar of Voters, but virtually all other bodies we have attempted to oversee. They are absolutely not prepared for structured oversight by citizens and indeed a bit shocked when such thorough oversight is attempted. It would be very helpful if elections and other county officials embraced the desperately needed oversight function provided by groups like COPs. They don't. Instead of being provided with a complete documentation package which could be easily provided to anyone and everyone on their web site, they resist the oversight function, making almost no documentation available and making it necessary to reverse-engineer their processes, spending countless hours just trying to find out what they intend to do before we can find out if 1) they are doing it, and 2) it is the right thing to do. Of course, if nothing is documented, there is little chance that they will be cited for not following their own procedures or that they will be pestered by any suggestions for corrections or enhancements.

Likely to be Productive

The method of oversight COPs used in the production of this document is a departure from other oversight methodologies, such as exit polling and post-election random audits. Those approaches tend to disregard the actual detailed operation of the Ro V, and instead they compare the official canvass result against exit poll results or inspect ballots in a set of precincts. In contrast, the method used here is to carefully review the intended procedures in use by the Ro V, make sure they adhere to those procedures and push for changes in the procedures when they are insufficient or wrong. In addition, we check the progress of the election in minute detail as it is processed by the Ro V. Perhaps the most important result of this effort is to understand that we can potentially track every move of the central tabulator with a more robust audit log, hopefully one that will be sufficient to allow us to reproduce the results and thereby prohibit central tabulator manipulation or even honest mistakes. If that is not possible, we propose the use of simple audit devices that capture every bit on the communication cables to the central tabulator, and make that information available to audit teams.

We look forward to a continued productive relationship with the San Diego County Registrar of Voters, the California Secretary of State, and the California State Legislature and Executive branch to bring these issues to a productive conclusion.

Precinct hand-counting is not practical

It is the opinion of the primary investigator, based on the poor performance of precincts in reconciling the count of ballots, that it is not feasible to expect these precincts to hand-count the entire election on election night, and the public will provide oversight for each precinct. In our sample, 83% of precincts were not able to reconcile the count of ballots, let alone trying to tally the entire election. The number of ballot options that any precinct would need to tally were commonly more than 60. COPs video recorded the hand-tally operation of the single precinct in Potrero in the December 11, 2007 VBM recall election of the Potrero Planning Group members who had voted to approve the Blackwater training camp. With only 10 races (5 recall questions and 5 replacements) and about 375 voters, the counting process still took nearly four hours using a fresh tally team, and then it was repeated to check on those results, for a total of about eight hours. The video of this counting process is available on the COPs website.) Although the tally process could be expedited through use of other methods (such as the "sort and stack" method), expecting tired poll workers to perform this duty is beyond reason. Fresh teams of poll workers may be able to perform this duty, but the fact remains that any recounting or oversight function becomes nearly impossible. Oversight of 1697 precincts and finding fresh teams of people that are highly training to perform the tally function for every precinct will be difficult if not impossible.

And, the hand-counting method does not deal with VBM ballots that now comprise a large fraction of the ballots received (about 60%).

Instead, COPs does not consider the use of electronic equipment a lost cause, as long as there is sufficient visibility to the entire process. Key to the ability of oversight groups to perform their duties is to be able to view the central tabulator audit log. COPs encourages election integrity groups that promote hand-counting of paper ballots as the only best solution to reconsider, and would like to point out the Open Canvass method which proposes that all ballots be scanned and provided to competing recognition and tabulation groups. Even with the Open Canvass method, it is necessary to maintain strict chain-of-custody and other accounting that is raised as a concern in this report.

Application to other elective districts

COPs encourages oversight groups to use the approach of this report as a template to provide oversight to elective districts across the nation. It is a big job and will require hundreds or thousands of committed citizens to provide the oversight necessary to tame our dysfunctional elective process. But it must be done, and now is the time to start.

Did our investigation detect any fraud, or were these just honest mistakes?

[This section was added after the initial release of the report based on questions from reviewers]

As clearly described in the body of this document, there are many issues that can be cleaned up by the Ro V to improve confidence in our elections. But, even with those deficiencies, is there any evidence of malfeasance or "rigging" of the elections by officials or by outsiders? The PEMT (1% Manual Tally) detected failures in 29% of the initial sample of 17 precincts, and 5 missing ballots were detected, but are those failures sufficient to prove that the election results are in doubt?

Perhaps the best way to provide an analysis of this question is to present possible attack vectors based on vulnerabilities that exist based on our analysis. It is important to note that we are not making any accusations of malfeasance. In such an analysis, we must assume that no person can be trusted, and we must rely on procedures and documentation to guard against attacks. These scenarios are sometimes difficult for those involved to entertain, much like a couple discussing a prenuptial agreement. To discover a means to guard against the attacks, however, requires that we consider the possibility that insiders are involved to the extent necessary to allow the attacks to complete. We do this only to determine a means to guard against the attacks.

Chain of Custody Attacks

Ro V documentation described 99 cases of incorrect, broken, or missing seals, and there is no attempt to log and track seal serial numbers. There is no SPUW (supply pick-up weekend) procedure or overall report that might further document the overall number of blank ballots available. There is very loose control of VBM ballots once they are removed from their envelopes. How much might the election be modified with these in mind? The two examples below can be eliminated with improved accounting of ballots and improve seal tracking.

Ballot Substitution Attack

This attack requires additional blank ballots that could have been printed by the ballot printing vendor. Ballots in boxes in transit to the Tally Center are substituted with the additional ballots, voted according to the desires of the attacker. Since the seal serial numbers are not tracked, the attackers could have tampered with any cartons and resealed those cartons. The 99 cartons with suspect seals may only be decoys.

It would be most likely applied to a single or a few vans on their way between Collection Centers and the Tally Center, so it would affect an average of 22 precincts for each van that is compromised. Each precinct has an average of about 400 ballots, so the total risk is about 8700 ballots per van. It could affect VBM ballots as well if an insider substituted the ballots before they were scanned. The substituted ballots could not choose races with the desired outcome for more than perhaps 40% of what would be expected or it would be obvious to an outsider, so that could mean that the desired race would get a bump of 0.40 x 8700 ballots, or 3480 ballots, and if the race choice was changed, that would amount to a net margin change of twice that amount, or nearly 7,000 votes. In local races, this would clearly be sufficient to change the outcome of the race, and there is no way to detect the attack once it has been successfully completed.

Ballot Remarking Attack

Similar to the above attack, but in this attack, the attackers modify the existing ballots by adding marking to them, typically to over vote on ballots that are already voted opposite to their desired race outcome, and if the race is left blank, they vote for their desired outcome. This attack can be detected by a large number of overvotes in a race. This attack does not require any blank ballots to be printed, but it requires a significant amount of time to complete.

Scanning Attacks

Proprietary scanners provided by Diebold Systems (now Premier Election Solutions) contains secret firmware that may have hooks for improvements or enhancements. Scanner memory cards for specific precincts may have embedded computer code that can modify the reported results for those precincts, perhaps flipping the winners of those races.

When applied to the ballots processed on election night, this attack can be detected by a sufficiently large sample of precincts and manually tally them, with close races requiring a larger percentage sample. In the last election, our calculations showed a 5% sample would be sufficient but a 1% sample may not detect this attack.

Central Tabulator Attacks

The central tabulator simply adds up the votes for each race. Although certified by the So S, there still exists a risk that the central tabulator software will become compromised, particularly if connected directly to DRE devices. Although banned from such direct connection, DRE's were connected directly to the central tabulator in the November 2008 election, according to the audit log. If applied to VBM ballots, there is no way to check on these attacks short of a complete manual tally of the VBM ballots for that precinct. The current PEMT is done so early in the process, and it includes a report-substitution vulnerability, so it is of little use to guard against this attack.

Improved tracking of VBM ballots, a comprehensive (post election) PEMT and an improved (exhaustive reporting) audit log or audit devices on communication cables connected to the central tabulator can eliminate these attacks.

Summary

In summary, the current level of transparency does not provide sufficient observational detail to allow us to prove that malfeasance exists nor to prove that it does not exist. Improving the audit trail will allow us to provide an independent analysis that there are no known attack vectors and that the results can be trusted.